
Have there been any issues because of that, or is this just speculation on your part? The codebase is open source, so it's not like they can hide anything.


I am no Sinophobe, but I think the pragmatic concern is that by being under P.R.C. jurisdiction, 'certain parties' could either force abandonment of the project by (some of) the original team or compel certain code changes that may not be in the users' interest.

No offense to anyone, and I do not want to imply anything nefarious is about, but from what I remember Gogs was even worse, in that only a single maintainer inside the P.R.C. had merge access to the main branch. Also a concern because I might remember something about known vulnerabilities having been outstanding on the issue tracker while the maintainer was busy.


It's not so much about the issues, but the potential for issues down the line.

For tools like this the aim is always to lay low and expand to reach as far as possible; then, once you have a lot of control and trust, you can abuse it, often without much loss, because once you have institutional momentum it's very hard to screw it up.

You can't operate on "if there's a history of abuse of power", only on "if there is an incentive". I believe there's a very strong incentive in this case.


I don't really see how an open source project that you can self-host can be abused. Do you have any example of that happening?


All you need to do is sneak something into an update that gives people access to your server, or that creates a vulnerability that allows them to get access.

The fact that it's self-hosted is actually a really huge concern, because this thing is sitting on your local network with no firewall between it and everything else that you run.

It takes very little to put a vulnerability into a piece of code, and unless you have a person combing through every commit with a fine-tooth comb, even the fact that it's open source cannot prevent that.

No single security measure is bulletproof. Being open source does not counteract the misaligned incentives.

